2 <Opengate ConfigVersion="1.5.0">
4 <!-- #################################################
5 ####### NEED TO MODIFY FOLLOWING PARAMETERS ##### -->
7 <!-- #########################################################
8 ## Opengate gateway server hostname (FQDN or IP address) ##
## If this name is used in the URL of the SSL auth page (index-ssl.html), it must ##
## match the gateway's TLS certificate (confirm in the CGI); a mismatch trains users ##
## to click through certificate warnings. ## -->
10 <OpengateServerName>opengate.og.saga-u.ac.jp</OpengateServerName>
12 <!-- #######################################################
13 ## Authentication servers (can set multiple servers) ##
14 ## REFER document at the end of this file ## -->
17 <Protocol>pop3s</Protocol>
18 <Address>192.168.0.2</Address>
21 <!-- ##########################################################
22 #### usually, need not to modify following parameters #### -->
24 <!-- ###################################################
25 if you want to switch parameters with userID or extraID
26 (entered by user as [userID@extraID] in auth page),
27 REFER the information of ExtraSet at the end of this file.
28 ################################################### -->
30 <!-- Debug dump level -->
31 <!-- Set 0 to write only open/close and error messages to syslog -->
32 <!-- Set 1 to write some information in addition to level 0 -->
33 <!-- Set 2 to write much more information to syslog -->
<!-- Keep this at 0 in production: higher levels dump per-session detail to syslog.
     Confirm in the source whether user IDs or other sensitive values are included,
     and make sure the syslog destination is not readable by ordinary users. -->
36 <!-- default client-usage watch mode ('Http' or 'Time') -->
37 <WatchMode>Http</WatchMode>
39 <!-- Syslog (local0, local1, .., local7)-->
42 <Facility>local1</Facility>
45 <!-- SQLite database file -->
<!-- Security: this path is under /tmp, which is world-writable. A local account can
     pre-create or symlink the file before opengate opens it and then read or tamper
     with session state. Prefer a root-owned directory with restrictive permissions
     (e.g. /var/db/opengate/opengate.db) instead of /tmp. -->
46 <SqliteDb>/tmp/opengate.db</SqliteDb>
48 <!-- Allowable duration for users to use network(seconds) -->
49 <!-- If no connection with http, network is closed after this. -->
51 <Default>300</Default>
55 <!-- Client Live Check (seconds) -->
56 <!-- In Http mode, checks for the existence of the HELLO (keep-alive) request. -->
57 <!-- In no connection, check mac address mismatch and no packet. -->
58 <ActiveCheckInterval>50</ActiveCheckInterval>
60 <!-- Close when no packet has passed within this interval -->
<!-- 5400 s is 90 minutes. This is the longest an idle session stays open, so it is
     also how long a session can be reused by whoever ends up with the client's
     address after the user walks away. Lower it on shared or public networks. -->
61 <NoPacketInterval>5400</NoPacketInterval>
63 <!-- Watch client with Http Keep-Alive -->
65 <!-- HTTP_USER_AGENT that is not compatible with http watch mode -->
66 <!-- defined by "POSIX Extended Regular Expression" -->
<!-- Security: the User-Agent is supplied by the client, so any client can choose to
     match this pattern and opt out of Http watch mode. Keep the pattern as narrow as
     possible and anchored; "^$" (the default) matches only an empty User-Agent. -->
67 <SkipAgentPattern>^$</SkipAgentPattern>
70 <!-- IPFW rule number range and tag number used by opengate -->
74 <Interval>2</Interval>
77 <!-- IPFW Tag number used in rc.firewall -->
78 <IpfwTagNumber>123</IpfwTagNumber>
80 <!-- Port number range used by opengate -->
86 <!-- communication reply timeout(second) -->
87 <CommWaitTimeout>10</CommWaitTimeout>
89 <!-- http reconnect timeout(second) -->
90 <ReconnectTimeout>180</ReconnectTimeout>
92 <!-- ipfw exclusive exec lock timeout (second) -->
93 <LockTimeout>10</LockTimeout>
95 <!-- max delay from fwd.cgi to auth.cgi (second) -->
<!-- Bounds how long a request forwarded by fwd.cgi remains acceptable to auth.cgi.
     A larger value widens the window in which a captured forward could be replayed
     (assuming the delay is checked against a timestamp carried in the forward;
     confirm in the CGI source). -->
96 <ForwardingDelay>300</ForwardingDelay>
99 <!-- Available HTML languages (first lang is used as default) -->
100 <HtmlLangs>en ja</HtmlLangs>
102 <!-- Path to Apache Contents -->
103 <DocumentRoot>/usr/local/www/apache22/data</DocumentRoot>
104 <CgiDir>/cgi-bin</CgiDir>
105 <OpengateDir>/opengate</OpengateDir>
107 <!-- HTML Documents (in each language dir)-->
108 <DenyDoc>deny.html</DenyDoc>
109 <AcceptDocHttp>accept-http.html</AcceptDocHttp>
110 <AcceptDocTime>accept-time.html</AcceptDocTime>
111 <AcceptDoc2>accept2.html</AcceptDoc2>
112 <AuthDoc>index.html</AuthDoc>
113 <AuthDocSsl>index-ssl.html</AuthDocSsl>
114 <FwdDoc>topindex.html</FwdDoc>
115 <RetryDoc>retry.html</RetryDoc>
116 <HttpKeepDoc>httpkeep.html</HttpKeepDoc>
117 <SkipAuthDoc>skip-auth.html</SkipAuthDoc>
119 <!-- CGI programs -->
120 <AuthCgi>opengateauth.cgi</AuthCgi>
121 <FwdCgi>opengatefwd.cgi</FwdCgi>
122 <MainCgi>opengatesrv.cgi</MainCgi>
124 <!-- JavaScript (in opengate dir) -->
<!-- Note: md5.js implies MD5 is computed client-side. MD5 is not a substitute for
     TLS; confirm what the auth page uses it for and that credentials still travel
     over the SSL auth page (AuthDocSsl) rather than relying on this hash. -->
125 <HttpKeepJS>httpkeep.js</HttpKeepJS>
126 <Md5JS>md5.js</Md5JS>
128 <!-- URL used for retrying -->
<!-- A plain-http URL is presumably deliberate here (a captive portal cannot
     transparently redirect an https request); do not switch it to https without
     checking the retry flow. -->
129 <ExternalUrl>http://www.google.com/</ExternalUrl>
131 <!-- Url to start browsing after authentication -->
132 <!-- type:0=acceptdoc2.html,1=below Url,2=redirected(requested) Url -->
<!-- Security: with type 2 the browser is sent to whatever URL the client originally
     requested, i.e. client-controlled data. Confirm that the CGI validates it
     (scheme, no CR/LF) before emitting the Location header; otherwise this is an
     open redirect / header-injection point. -->
135 <Url>http://www.yahoo.com/</Url>
138 <!-- authentication by http-cookie is allowed(1) or not(0) -->
<!-- Security: with cookie authentication enabled, possession of the cookie is
     sufficient to open the network as that user. Serve the auth page over TLS
     (AuthDocSsl) so the cookie is never sent in cleartext, check that the CGI sets
     Secure/HttpOnly and an expiry on it, and consider 0 on shared or public
     terminals. -->
139 <EnableCookieAuth>1</EnableCookieAuth>
141 <!-- Related command path -->
142 <ArpPath>/usr/sbin/arp</ArpPath>
143 <NdpPath>/usr/sbin/ndp</NdpPath>
144 <IpfwPath>/sbin/ipfw</IpfwPath>
145 <PsPath>/bin/ps</PsPath>
147 <!-- Ipfw is opened via perl script(1) or direct from C(0) -->
<!-- Security: this script presumably runs with enough privilege to change ipfw
     rules, so it (and /etc/opengate) must be owned by root and not writable by the
     web-server user; a writable script here is arbitrary command execution with
     firewall privilege. -->
150 <Path>/etc/opengate/ipfwctrl.pl</Path>
153 <!-- Lock file for exclusive exec to prevent overlapped rule number -->
<!-- Security: like SqliteDb this lives in world-writable /tmp. Any local account can
     pre-create the lock (denying service to opengate, see LockTimeout) or race it;
     a root-owned directory such as /var/run/opengate is the safer location. -->
154 <LockFile>/tmp/opengate.lock</LockFile>
156 <!-- Separator char between userID and extraID [userID@extraID] -->
<!-- The part after the separator is taken as the extraID. If user names on the auth
     server can themselves contain '@' (e-mail style logins), choose a character that
     cannot appear in a user name, or such users will be routed to the wrong ExtraSet. -->
157 <UserIdSeparator>@</UserIdSeparator>
160 <!-- #### Config for exceptional users, See below document #### -->
161 <!-- ## To use a sample below, remove the XML comment marks around it ## -->
163 <!-- ## ExtraSet sample 1 ##
164 <ExtraSet ExtraId="guest">
166 <Address>192.168.0.1</Address>
167 <Protocol>ftp</Protocol>
169 <IpfwTagNumber>999</IpfwTagNumber>
172 ## End of sample 1 ## -->
174 <!-- ## ExtraSet sample 2 ##
175 <ExtraSet ExtraId="admin">
177 <Protocol>pam</Protocol>
180 <Address>192.168.0.1</Address>
181 <Protocol>pop3s</Protocol>
182 <Timeout>10</Timeout>
185 <Address>192.168.0.2</Address>
186 <Protocol>ftp</Protocol>
187 <Timeout>10</Timeout>
190 ## End of sample 2 ## -->
192 <!-- ## ExtraSet sample 3 ##
193 <ExtraSet ExtraId="default" UserIdPattern="^user1$|^user2$">
196 <Facility>local2</Facility>
199 ## Caution: if no userID is entered, it is set to "?" before matching, so a
## UserIdPattern that is unanchored or otherwise matches "?" also selects this set
## for empty logins. ##
200 ## End of sample 3 ## -->
203 <!-- ## End of Configuration ## -->
209 <!-- ## Following is only documentation ## -->
211 <!-- ###### about ExtraSet #######
213 <ExtraSet> overwritten on default settings
215 You can switch parameter values by userID and extraID
216 entered as [userID@extraID] in userID field on auth page.
218 Each <ExtraSet> has conditions such as <.. ExtraId="aaa"> or
219 <.. UserIdPattern="bbb">.
220 The conditions are compared with the string entered in
223 When you set the condition as <.. ExtraId="aaa">,
224 the string [any_user@aaa] is matched and the ExtraSet is used.
226 When you set the condition as <.. UserIdPattern="bbb">,
227 the string [any_bbb_any] is matched.
228 UserIdPattern has the form of "POSIX Extended Regular Expression".
An unanchored pattern matches anywhere in the string (see [any_bbb_any] above);
anchor it as ^...$ when an exact user name is intended.
229 Matching is insensitive to upper/lower case.
231 The <ExtraSet> having both conditions is used when both are true.
232 An omitted condition matches every string.
234 When several <ExtraSet>s match, the first one in the file is used.
236 The parameters in <ExtraSet> override the default values.
237 When a parameter is not found in <ExtraSet>, the default is used.
239 When userID is entered without extraID, ExtraId matches "default".
240 Thus if you want to find [user1] only in default server,
241 use as <ExtraSet ExtraId="default" UserIdPattern="^user1$">.
243 Example1 is used when user entered as [any_user@guest],
244 where "any_user" is any string.
245 It means that [xxx@guest] uses different auth server.
247 Example2 is used when [anyuser@admin].
248 It means that [xxx@admin] is checked against several auth servers in turn.
250 Example3 is used when [user1] or [user2].
251 It means that [user1] and [user2] are logged to a separate syslog facility (local2 in the sample).
255 <!-- ###### About AuthServer setting ######
257 ########### Format #############
258 {a|b}: a or b, set one of them
262 #### TYPE 1 (POP or FTP) ####
264 <Protocol>{pop3|pop3s|ftp|ftpse|ftpsi}</Protocol>
265 <Address>{-hostname-|-ip_address-}</Address>
266 [ <Port>-portno-</Port> ]
267 [ <Timeout>-seconds-</Timeout> ]
269 # AuthOK, if request by <Protocol> is accepted by <Address>.
270 # Address is FQDN or IP address
271 # If <Port> is not defined, port number in /etc/services is used.
272 # The request is aborted at <Timeout> seconds.
273 # If <Timeout> is not defined, system value is used.
274 # pop3s is SSLed pop3
275 # ftpse is SSLed ftp run in Explicit mode.
276 # ftpsi is SSLed ftp run in Implicit mode.
278 #### TYPE 2 (PAM) ####
280 <Protocol>pam</Protocol>
281 [ <ServiceName>-servicename_in_pam_conf-</ServiceName> ]
282 [ <Timeout>-second-</Timeout> ]
285 # If <ServiceName> is not defined, "opengate" is used as the service name in "pam.conf" (make sure that service exists).
287 #### TYPE 3 (RADIUS) ####
289 <Protocol>radius</Protocol>
290 [ <ConfFile>-path_to_radius_conf-</ConfFile> ]
291 [ <Timeout>-second-</Timeout> ]
294 # If <ConfFile> is not defined, "/etc/radius.conf" is used.
# That file normally holds the RADIUS server address and shared secret; keep it
# readable only by the account that runs the auth CGI (mode 0600 or tighter).
296 #### TYPE 4 (LDAP) ####
298 <Protocol>ldap</Protocol>
299 <Uri>-uri-of-ldap-server-</Uri>
300 <BaseDN>-ldap_base_dn_to_search-</BaseDN>
301 [ <Timeout>-second-</Timeout> ]
305 # 'ldap://foo.bar.com' for NonSSL (credentials cross the network in cleartext; use ldaps:// unless the link is otherwise protected)
306 # 'ldaps://foo.bar.com' for SSL
307 # 'ldaps://foo.bar.com:1234' to use specific port
309 #### TYPE 5 (ACCEPT or DENY) ####
311 <Protocol>{accept|deny}</Protocol>
313 # The user is accepted or denied without inquiry.
314 # This setting is prepared for debugging only. Never leave "accept" in a
# production config, including inside an <ExtraSet>: the extraID is typed by
# the user, so any ExtraSet that resolves to "accept" is reachable by anyone
# who enters [anything@thatExtraId].
317 <!-- ######## Examples of Auth Server Setting ##############
319 <Address>pop.saga-u.ac.jp</Address>
320 <Protocol>pop3s</Protocol>
321 <Timeout>30</Timeout>
325 <Protocol>ldap</Protocol>
326 <Uri>ldaps://ldap.saga-u.ac.jp</Uri>
327 <BaseDN>ou=people,dc=saga-u,dc=ac,dc=jp</BaseDN>
332 <Address>192.168.0.1</Address>
333 <Protocol>ftpsi</Protocol>
334 <Timeout>15</Timeout>
338 <Protocol>radius</Protocol>
342 <Protocol>pam</Protocol>
346 <!-- ####### An Example of Multiple authentication servers ######
347 If multiple auth servers are set, they are tried sequentially.
348 When a server denies the request, it is sent to the next one.
349 When a server accepts, the remaining servers are skipped.
Security: the user's password is therefore disclosed to every server tried, so
every server listed must be trusted and reached over TLS. Also confirm (in the
source) whether an unreachable or timed-out server counts as "denied" and falls
through to the next server, or aborts the attempt.
352 setting for first priority
355 setting for second priority
358 setting for third priority